[whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

Nils Dagsson Moskopp nils at dieweltistgarnichtso.net
Wed Mar 20 16:41:14 PDT 2013

Anne van Kesteren <annevk at annevk.nl> schrieb am Wed, 20 Mar 2013
17:31:14 -0400:

> If you do an XMLHttpRequest from a document hosted at
> /superlonghashkeythatactsasauthenticationtoken you probably do not
> want to expose the Referer header.

A GET request should be idempotent, so what would be the problem? If
subsequent access changes the state of the resource, that seems broken.

> Now 1) this document should be
> hosted over https so this is less likely to be a concern given actual
> implementations of Referer over https and b) for same-origin requests
> this matters less (if at all), it still seems better if anonymous is
> anonymous.

I'd suggest using HMACs instead of hashes for signed action URLs. Right?

Nils Dagsson Moskopp // erlehmann

More information about the whatwg mailing list